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Abstract 

The multipath-rich wireless environment associated with typical wireless usage scenarios is char- 
acterized by a fading channel response that is time-varying, location-sensitive, and uniquely shared 
by a given transmitter-receiver pair. The complexity associated with a richly scattering environment 
implies that the short-term fading process is inherently hard to predict and best modeled stochastically, 
with rapid decorrelation properties in space, time and frequency. In this paper, we demonstrate how 
the channel state between a wireless transmitter and receiver can be used as the basis for building 
practical secret key generation protocols between two entities. We begin by presenting a scheme based 
on level crossings of the fading process, which is well-suited for the Rayleigh and Rician fading models 
associated with a richly scattering environment. Our level crossing algorithm is simple, and incorporates 
a self-authenticating mechanism to prevent adversarial manipulation of message exchanges during the 
protocol. Since the level crossing algorithm is best suited for fading processes that exhibit symmetry in 
their underlying distribution, we present a second and more powerful approach that is suited for more 
general channel state distributions. This second approach is motivated by observations from quantizing 
jointly Gaussian processes, but exploits empirical measurements to set quantization boundaries and a 
heuristic log likelihood ratio estimate to achieve an improved secret key generation rate. We validate 
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both proposed protocols through experimentations using a customized 802.11a platform, and show for 
the typical WiFi channel that reliable secret key establishment can be accomplished at rates on the order 
of 10 bits/second. 

I. Introduction 

The problem of secret key generation from correlated information was first studied by Maurer [39], 
and Ahlswede and Csiszar [4]. In a basic secret key generation problem, called the basic source model, 
two legitimate terminals (Alice and Bob|3 observe a common random source that is inaccessible to an 
eavesdropper. Modeling the observations as memoryless, we can define the model as follows: Alice and 
Bob respectively observe n independent and identically distributed (i.i.d.) repetitions of the dependent 
random variables X and Y, denoted by = (Xi,--- ,Xn) and = (Yi,-- - ,Yn). In any given 
time instance, the observation pair {Xi,Yi) is highly statistically dependent. Based on their dependent 
observations, Alice and Bob generate a common secret key by communicating over a public error-free 
channel, with the communication denoted collectively by V. 

A random variable K with finite range JC represents an e-secret key for Alice and Bob, achievable with 
communication V, if there exist two functions Ja, fs such that Ka = V), Kb = V), 

and for any e > 0, 

Pr(K = KA = KB)>l-e, (1) 

/(K;V)<e, (2) 

> log |/C| - e. (3) 

Here, condition ([T]) ensures that Alice and Bob generate the same secret key with high probability; 
condition Q ensures such secret key is effectively concealed from the eavesdropper observing the pubUc 
communication V; and condition ([3]) ensures such a secret key is nearly uniformly distributed. 

An achievable secret key rate R is defined [39], [4] to be a value such that for every e > and 
sufficiently large n, an e-secret key K is achievable with suitable communication such that ^H{K) > 
R — e. The supremum of all achievable secret key rates is the secret key capacity denoted by Csk- For 
the model presented above, this is given by [39], [4], [40], [42] 

CsK = I{X;Y). (4) 

'Unless otherwise specified, all the terminals in this paper refer to legitimate terminals, and hence the term "legitimate" will 
be omitted henceforth. 
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This result holds for both discrete and continuous random variables X and Y, as long as I{X; Y) is 
finite (cf. [62], [47]). 

The model defined above assumes the eavesdropper (i.e. Eve) may observe the transmissions on the 
public channel, but is unable to tamper with them and has no access to any other useful side information. 
The case of an eavesdropper with access to side information has received significant attention (see, e.g., 
[39], [4], [53], [19]); unfortunately the capacity problem remains open in this case. The case of an 
eavesdropper with the ability to tamper with the transmissions on the pubhc channel has been addressed 
in a comprehensive analysis by Maurer and Wolf [41], [43], [44], [45]. 

A practical implementation of secret-key agreement schemes follows a basic 3-phase protocol defined 
by Maurer et.ai. The first phase, advantage distillation [39], [15], is aimed at providing two terminals 
an advantage over the eavesdropper when the eavesdropper has access to side information. We do not 
consider this scenario (as we shall see shortly, it is not necessary for secrecy generation from wireless 
channels) and, therefore, do not address advantage distillation. 

The second phase, information reconciliation [8], [7], [14], is aimed at generating an identical random 
sequence between the two terminals by exploiting the public channel. For a better secret key rate, the 
entropy of this random sequence should be maximized, while the amount of information transmitted on 
the public channel should be minimized. This suggests an iimate connection between the information rec- 
onciUation phase of the secrecy agreement protocol and Slepian-Wolf data compression. This connection 
was formalized by [23] in the general setting of multi-terminal secrecy generation. 

The connection between secrecy generation and data compression is of significant practical, as well as 
theoretical interest. Considering the duality between Slepian-Wolf data compression and channel coding 
(e.g., [27], [35], [49], [20], [17], etc), the relationship between secrecy generation and data compression 
allows capacity-achieving channel codes, like Turbo codes or LDPC codes, to be used for the information 
reconcihation phase. Moreover, the capacity-achieving capabilities of such codes in the channel coding 
sense carry over to the secrecy generation problem. A comprehensive treatment of the apphcation and 
optimaUty of such codes to the secrecy generation problem can be found in [13], [12]. 

The last phase of Maurer's protocol, privacy amplification [9], [11], extracts a secret key from the 
identical random sequence agreed to by two terminals in the information reconciliation phase. This 
can be implemented by linear mapping and universal hashing [16], [57], [11], [45], or by an extractor 
[52], [45], [24], [25], [22]. The combination of the information reconciliation phase and the privacy 
amplification phase has been considered in [15], [61]. 

Perhaps the first practical application of the basic source model is quantum cryptography (cf. e.g., [10], 
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[46]), where non-orthogonal states of a quantum system provide two terminals correlated observations of 
randomness which are at least partially secret from a potential eavesdropper. Quantum key distribution 
schemes based on continuous random variables have been discussed in [28], [55], [13], [36]. Less 
realized is the fact that wireless fading channel provides another source [30], [62], [12] of secrecy which 
can be used to generate information-theoretically secure keys. Because the source model for secrecy 
estabhshment essentially requires a priori existence of a "dirty secret" which is then just cleaned up, such 
sources of secrecy are hard to find. To our knowledge no such sources other than quantum entanglement 
and wireless channel reciprocity have been identified to date. Further, we note that although there have 
been several implementations of quantum cryptographic key establishment, little work has been done to 
provide a system validation of this process for wireless channels. This paper examines both theoretical and 
practical aspects of key estabhshment using wireless channels and represents one of the first validation 
efforts to this effect. 

An alternative approach to secrecy generation from wireless channels is based on the wiretap channel 
models, see e.g. [12]. However, this approach suffers from a need to make certain assumptions as part of 
the security model that are hard to satisfy in practice and has not, to date, led to a practical implementation. 

A (narrowband) wireless channel is well modeled as a flat fading channel. The fading coefficient 
changes in time, but the change is rather slow (on the order of 1 msec to 1 sec, depending on terminal 
velocities and other factors). For simphcity, let us consider frequency flat fading. Roughly speaking, for 
a fixed time and location, the transmitted signal t and the received signal r are related via r = Ft + Z, 
where F is the channel fading coefficient and Z is the additive independent noise. If the transmitted 
signal t is known at the receiver beforehand, (e.g., it is a training sequence) then the receiver is able 
to obtain a noisy estimate of the fading coefficient F. Furthermore, if both terminals send the training 
sequence at approximately the same time (more precisely, well within one channel coherence time of 
each other), then they can obtain channel estimates that are highly correlated due to channel reciprocity. 
This suggests the following model: let the random variables X and Y be defined hy X = F + Za, 
Y = F + Zb, where F, Za, Zb are three independent random variables. 

In data communications application, it is common to model the channel as Rayleigh or Rician, in 
which case, F, Za and Zb are Gaussian. Let these be distributed as M{0, P), M{0, Na) and J\f{0, Nb) 
respectively. A simple calculation shows that the secret key capacity [62] of this jointly Gaussian model 
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If we let Na = Nb = N in this setting, then we get a natural definition of SNR as SNR = ^, and the 
above secret key capacity reduces to log2 ^1 + bits/sample. 

As noted, the above calculation is relevant for the traditional Rayleigh or Rician fading model, and 
serves as an upper bound on the secret key establishment rate, but does not provide insight into how one 
can practically extract such secret bits from the underlying fading process. In this paper, we examine 
two different approaches for secrecy extraction from the channel state between a transmitter and receiver 
in a richly scattering wireless environment. Our first approach, which is based on level-crossings, is a 
simple algorithm that is well-suited for environments that can be characterized as Rayleigh or Rician. 
However, we recognize that such a method might not apply to other, general fading cases. One way to 
address this problem is to consider more complex fading distribution models, such as those appropriate 
for ultrawideband channels. This has been addressed in a previous work by Wilson et. al [58] (see 
also [5], [31], [6]). However, we take a different approach in this paper. Inspired by our prior work on 
Gaussian-based approaches, we propose a universal reconciliation approaches for wireless channels. This 
second, and more powerful method, only assumes that the channel impulse responses (ClRs) measured 
at both terminals are highly correlated, and their measurement noise is very low. Whereas the first of 
our two approaches was simple, and able to achieve a hmited secret key estabUshment rate, our second 
approach is more complex, but is able to take better advantage of the secrecy capabiUties offered by 
CIR measurements, which tend to have high SNR (due to a high processing gain associated with such 
measurements in modem communication systems). 

In both of these cases, our goal is to come up with a practical approach to secrecy generation from 
wireless channel measurements. In particular, because the statistics of the real channel sources we utilize 
are not known (and that is the major challenge we believe addressed by our work), it is impossible to 
make any quantitative statements about optimality of our approaches. Nevertheless, we do want to make 
sure that our solution is based on solid theoretical foundation. To do so, we include discussion of the 
motivating algorithms and their performance in ideaUzed models when necessary. 

Several previous attempts to use wireless channels for encrypting communications have been proposed. 
Notably, [34] exploited reciprocity of a wireless channel for secure data transformation; [29] discussed 
a secrecy extraction scheme based on the phase information of received signals; the application of the 
reciprocity of a wireless channel for terminal authentication purpose was studied in [48], [59], [60], etc. 
Unlike these and other approaches, our approach for direct secrecy generation allows the key generation 
component to become a "black box" within a larger communication system. Its output (a secret bit 
stream) can then be used within the communication system for various purposes. This is important, as 
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the key generation rate is likely to be quite low, and thus direct encryption of data will either severely 
limit throughput (to less than 1 kbps in indoor channels) or result in extremely weak secrecy. 

The adversary model assumed in this paper focuses mainly on passive attacks. We do not consider 
authentication attacks, such as the man-in-the-middle attack, since these require an explicit authentication 
mechanism between Alice and Bob and cannot be addressed by key-extraction alone. The starting point 
for algorithms presented in this paper is the successive probing of the wireless channel by the terminals 
that wish to extract a secret key. Implicitly, we assume that the adversary is not engaging in an active 
attack against the probing process, though we note that physical layer authentication techniques, such 
as presented in [60] might be applicable in such an adversarial setting. The infeasibihty of passive 
eavesdropping attacks on the key generation procedures is based on the rapid spatial decorrelation of the 
wireless channel. We demonstrate this using empirically computed mutual information from the channel- 
probing stage, between the signals received at Bob and Eve and comparing it with the mutual information 
between the signals received at Alice and Bob. Beyond the basic eavesdropping attack, we do consider a 
particular type of active attack in our level-crossing algorithm in Section 11, where the adversary attempts 
to disrupt the key extraction protocol by replacing or altering the protocol messages. In this case, we 
provide a method to deal with this type of active attack by cleverly using the shared fading process 
between Alice and Bob. 

One of the goals of our work is to demonstrate that secrecy generation can be accomphshed in 
real-time over real channels (and not simulation models) and in real communication systems. To that 
end, results based on implementations on actual wireless platforms (a modified commercial 802. 1 1 a/g 
implementation platform) and using over-the-air protocols are presented. To accomplish this, we had to 
work with several severe limitations of the experimental system at our disposal. Consequently certain 
parameters (e.g. code block length) had to be selected to be somewhat below what they should be for 
a well-designed system. This, however, does not reflect on the feasibihty of proper implementation in a 
system with these features designed in. For example, nothing would prevent a design with the code block 
length sufficiently long to guarantee desired performance. On the contrary, we believe the demonstration 
of a practical implementation to be one of the major contributions of our work. 

The rest of this paper is organized as follows. Section IT discusses the simpler of our algorithms based 
on level crossings. Section m presents a more complex and more powerful approach to extracting secret 
bits from the channel response, as well as some new results on secrecy generation for Gaussian sources 
which motivate our solution. We conclude the paper with some final remarks in Section IV. 
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II. Level Crossing Secret Key Generation System 

In this section we describe a simple and lightweight algorithm in [38] for extracting secret bits from 
the wireless channel that does not explicitly involve the use of coding techniques. While this comes at 
the expense of a lower secret key rate, it reduces the complexity of the system and it still provides a 
sufficiently good rate in typical indoor environments. The algorithm uses excursions in the fading channel 
for generating bits and the timing of excursions for reconciliation. Further, the system does not require 
i.i.d. inputs and, therefore, does not require knowledge of the channel coherence time a priori. We refer 
to this secret key generation system as the level crossing system. We evaluate the performance of the 
level crossing system and test it using customized 802. 1 1 hardware. 

A. System and Algorithm Description 

Let F{t) be a stochastic process corresponding to a time-varying parameter F that describes the 
wireless channel shared by, and unique to Alice and Bob. Alice and Bob transmit a known signal (a 
probe) to one another in quick succession in order to derive correlated estimates of the parameter F, 
using the received signal by exploiting reciprocity of the wireless link. Let X and Y denote the (noisy) 
estimates of the parameter F obtained by Alice and Bob respectively. 

Alice and Bob generate a sequence of n correlated estimates X" = (Xi, X2, . . . , X„) and = 
(Yi, 12, . . . , y„), respectively, by probing the channel repeatedly in a time division duplex (TDD) manner. 
Note however, that Xi (and Yi) are no longer i.i.d. for i = 1, . . . n since the channel may be strongly 
correlated between successive channel estimates. 

Alice and Bob first low-pass filter their sequence of channel estimates, X" and Y^ respectively, by 
subtracting a windowed moving average. This removes the dependence of the channel estimates on 
large-scale shadow fading changes and leaves only the small scale fading variations (see Figure The 
resulting sequences, X" and y" have approximately zero mean and contain excursions in positive and 
negative directions with respect to the mean. The subtraction of the windowed mean ensures that the 
level-crossing algorithm below does not output long strings of ones or zeros and that the bias towards one 
type of bit is removed. The filtered sequences are then used by Alice and Bob to build a 1-bit quantizer 
ip^{-) quantizer based on the scalars (7" and (7" that serve as threshold levels for the quantizer: 

ql = meaniU"^) + a ■ aiU"^) (6) 
q"^ = mean{U'')-a-a{U''), (7) 



October 27, 2009 



DRAFT 



8 



where the sequence C/" = X" for Alice and C/" = for Bob. a{-) is the standard deviation and the 
factor a can be selected to control the quantizer thresholds. The sequences X" and are then fed into 
the following locally-computed quantizer at AUce and Bob respectively: 

1 if X > 
= < if X < g!l 
e Otherwise 

V 

where e represents an undefined state. The superscript u stands for user and may refer to either Ahce, in 
which case the quantizer function is or to Bob, for which the quantizer is V'^( )- This quantizer 

forms the basis for quantizing positive and negative excursions. Values between and are not 
assigned a bit. 

It is assumed that the number n of channel observations is sufficiently large before using the level 
crossing system, and that the z*'* element Xi and Yi correspond to successive probes sent by Bob and 
Alice respectively, for each i = 1, . . . ,n. The level crossing algorithm consists of the following steps: 

1) AUce parses the vector X" containing her filtered channel estimates to find instances where m or 
more successive estimates lie in an excursion above g+ or below Here, m is a parameter used 
to denote the minimum number of channel estimates in an excursion. 

2) Ahce selects a random subset of the excursions found in step 1 and, for each selected excursion, 
she sends Bob the index of the channel estimate lying in the center of the excursion, as a list 
L. Therefore, if > or < g_ for some i = igtart, ■ ■ ■ j^end^ then she sends Bob the index 

^center — [ '''"'"'2^ J • 

3) To make sure the L-message received is from Alice, Bob computes the fraction of indices in L 
where lies in an excursion spanning (m — 1) or more estimates. If this fraction is less than 
^ + e, for some fixed parameter < e < i, Bob concludes that the message was not sent by Alice, 
implying an adversary has injected a fake L-message. 

4) If the check above passes. Bob rephes to Ahce with a message L containing those indices in L 
at which Y"' lies in an excursion. Bob computes Kb = ijj^{Yi;i G L) to obtain N bits. The first 
Nau bits are used as an authentication key to compute a message authentication code (MAC) of 
L. The remaining N — Nau bits are kept as the extracted secret key. The overall message sent by 
Bob is ^L,MAC (^Kau,Lj^. Practical implementations, for example, one could use CBC-MAC 
as the implementation for MAC, and use a key Kau of length Nau = 128 bits. 

5) Upon receiving this message from Bob, Alice uses L to form the sequence of bits Ka = i^^{Xi;i € 
L). She uses the first Nau bits of Ka as the authentication key Kau = Ka{1, • • • , Nau), and, using 
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Kau, she verifies tiie MAC to confirm that the package was indeed sent by Bob. Since Eve does 
not know the bits in Kau generated by Bob, she cannot modify the L-message without faiUng the 
MAC verification at Alice. 
Figure [T] shows the system-level operation of the level crossing algorithm. We show later that provided 
the levels , g_ and the parameter m are properly chosen, the bits generated by the two users are 
identical with very high probability. In this case, both Alice and Bob are able to compute identical key 
bits and identical authentication key bits Kau, thereby allowing Alice to verify that the protocol message 
L did indeed come from Bob. Since Eve's observations from the channel probing do not provide her 
with any useful information about X"- and Y^, the messages L and L do not provide her any useful 
information either. This is because they contain time indices only, whereas the generated bits depend 
upon the values of the channel estimates at those indices. 

B. Security Discussion for the Level-crossing Algorithm 

The secrecy of our key establishment method is based on the assumption that Alice and Bob have 
confidence that there is no eavesdropper Eve located near either Alice or Bob. Or equivalently, any 
eavesdropper is located a sufficient distance away from both Alice and Bob. In particular, the fading 
process associated with a wireless channel in a richly scattering environment decorrelates rapidly with 
distance and, for two receivers located at a distance of roughly the carrier wavelength from each other, the 
fading processes they each witness with respect to a transmitter will be nearly independent of each other 
[32]. For a Rayleigh fading channel model, if hba and h^e are the jointly Gaussian channels observed 
by Alice and Eve due to a probe transmitted by Bob, then the correlation between hi,a and /i^g can be 
expressed as a function of the distance d between Alice and Eve, and is given by jQ{2iTd/X), where 
Jo{x) is the zeroth-order Bessel function of the first kind, d is the distance between Alice and Eve, and 
A is the carrier wavelength. Hence, because of the decay of Jo{x) versus the argument x, if we are given 
any e > 0, it is possible to find the minimum distance d that Eve must be from both Alice and Bob such 
that the mutual information I{hba',hbe) < e. 

Further, we note that the statistical uniformity of the bit sequences that are extracted by Alice and Bob 
using our level-crossing algorithm is based on the statistical uniformity of positive and negative excursions 
in the distribution of the common stochastic channel between them. This inherently requires that the 
channel state representation for the fading process be symmetrically distributed about the distribution's 
mean. Many well-accepted fading models satisfy this property. Notably, Rayleigh and Rician fading 
channels [33], which result from the multiple paths in a rich scattering environment adding up at the 
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receiver with random phases, fall into this category. Consequently, we believe that the reUance of level- 
crossing algorithm on the underlying distribution symmetry, suggests that the level-crossing algorithm 
is best suited for Rayleigh or Rician fading environments. The independence of successive extracted 
bits follows from the fact that the excursions used for each bit are naturally separated by a coherence 
time interval or more, allowing the channel to decorrelate in time. Finally, we note that our approach 
does not preclude a final privacy amplification step, though apphcation of such a post-processing step 
is straightforward and might be desirable in order to ensure that no information is gleaned by an 
eavesdropper. 

C. Performance Evaluation and Experimental Validation 

The central quantities of interest in our protocol are the rate of generation of secret bits and the 
probability of error. The controls available to us are the parameters: q^,q''^,rn and the rate at which 
Alice and Bob probe the channel between themselves, fg. We assume the channel is not under our 
control and the rate at which the channel varies can be represented by the maximum Doppler frequency, 
fd- The typical Doppler frequency for indoor wireless environments at the carrier frequency of 2.4 GHz 
is /d = X '"^ ^3xi(^^ ~ ^ assuming a velocity v of 1 m/s. We thus expect typical Doppler frequencies 
in indoor environments in the 2.4 GHz range to be roughly 10 Hz. For automobile scenarios, we can 
expect a Doppler of ~ 200 Hz in the 2.4 GHz range. We assume, for the sake of discussion, that the 
parameter of interest, F is a Gaussian random variable and the underlying stochastic process F{t) is a 
stationary Gaussian process. A Gaussian distribution for F may be obtained, for example, by taking F to 
be the magnitude of the in-phase component of a Rayleigh fading process between Alice and Bob [51]. 
We note that the assumption of a Gaussian distribution on F is for ease of discussion and performance 
analysis, and our algorithm is vahd in the general case where the distribution is symmetric about the 
mean. 

The probabiUty of error, pe is critical to our protocol. In order to achieve a robust key-mismatch 
probabihty pk, the bit-error probabiUty Pe must be much lower than p^. A bit-error probabiUty of pe = 
10~^ ~ 10~^ is desirable for keys of length TV = 128 bits. The probability of bit-error, pe is the probability 
that a single bit generated by AUce and Bob is different at the two users. Consider the probability that 
the z*'* bit generated by Bob is "ivT^ = 0" at some index given that Alice has chosen this index, but she 
has generated the bit ''K\ = 1". As per our Gaussian assumption on the parameter F and estimates X 
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and Y, this probability can be expanded as 



s PrfET^R = 0, Ki = 1) 
Pr(K^ = 1) 



/ / ••• / ffii:7TT7^exp{-ix^AV^_ix}ci!(' 



2m-l) 



X 



(2m— 1) terms 



POO /'OO 

/ .../ (|l^exp{-ix^i^^^ix}dMx 



(m) terms 

where is the covariance matrix of m successive Gaussian channel estimates of Alice and i^2m-i 
is the covariance matrix of the Gaussian vector {Xi,Yi, X2, ■ ■ ■ ,Ym-i, Xm) formed by combining the 
m channel estimates of Alice and the m — 1 estimates of Bob in chronological order. The numerator in 
dS) is the probability that of 2m — 1 successive channel estimates (m belonging to Alice, and m — 1 for 
Bob), all m of Alice's estimates lie in an excursion above g+ while all m — 1 of Bob's estimates lie in 
an excursion below (/_. The denominator is simply the probability that all of Alice's m estimates he in 
an excursion above g+. 

We compute these probabilities for various values of m and present the results of the probability 
of error computations in Figure |2l The results confirm that a larger value of m will result in a lower 
probability of error, as a larger m makes it less likely that Alice's and Bob's estimates lie in opposite 
types of excursions. Note that if either user's estimates do not lie in an excursion at a given index, a bit 
error is avoided because that index is discarded by both users. 

How many secret bits/second (bps) can we expect to derive from a fading channel using level crossings? 
An approximate analysis can be done using the level-crossing rate for a Rayleigh fading process, given 
by LCR = V2^fdpe'P^ [51], where fa is the maximum Doppler frequency and p is the threshold level, 
normalized to the root mean square signal level. Setting p = I, gives LCR ~ fd- This tells us that we 
cannot expect to obtain more secret bits per second than the order of f^. In Figure [3] (a) and (b), we 
plot the rate in s-bits/sec as a function of the channel probing rate for a Rayleigh fading channel with 
maximum Doppler frequencies of fd = 10 Hz and fd = 100 Hz respectively. As expected, the number 
of s-bits the channel yields increases with the probing rate, but saturates at a value on the order of fd- 

In order for successive bits to be statistically independent, they must be separated in time by more 
than one coherence time interval. While the precise relationship between coherence time and Doppler 
frequency is only empirical, they are inversely related and it is generally agreed that the coherence time 



is smaller in magnitude (Coherence time Tc, is sometimes expressed in terms of fd as Tc ~ ^/ xgfjr) 
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than 1/ fd- Therefore, on average, if successive bits are separated by a time interval of 1/ fd, then they 
should be statistically independent. 

More precisely, the number of secret bps is the number of secret bits per observation times the probing 
rate. Therefore 

Rk = Hibins) X Pr(M = ETU x — (9) 

m 




(2m— 1) terms 



where H{bins) is the entropy of the random variable that determines which bin (> or < g_) of 
the quantizer the observation lies in, which in our case equals 1 assuming that the two bins are equally 
likel>0. The probing rate fg is normalized by a factor of ni because a single 'observation' in our algorithm 
is a sequence of m channel estimates. 

Figure [3] confirms the intuition that the secret bit rate must fall with increasing m, since the longer 
duration excursions required by a larger value of m are less frequent. In Figure Ufa), we investigate how 
the secret-bit rate Rk varies with the maximum Doppler frequency fd, i.e., the channel time-variation. 
We found that for a fixed channel probing rate (in this case, fg = 4000 probes/sec), increasing fd results 
in a greater rate but only up to a point, after which the secret-bit rate begins to fall. Thus, 'running faster' 
does not necessarily help unless we can increase the probing rate fs proportionally. Figure l^b) shows 
the expected decrease in secret-bit rate as the quantizer levels the value of a is varied to move and 
further apart. Here, a denotes the number of standard deviations from the mean at which the quantizer 
levels are placed. 

We examined the performance of the secrecy generation system through experiments. The experiments 
involved three terminals, Alice, Bob and Eve, each equipped with an 802.11a development board. 

In the experiments, Alice was configured to be an access point (AP), and Bob was configured to be a 
station (STA). Bob sends Probe Request messages to Alice, who replies with Probe Response messages as 
quickly as possible. Both terminals used the long preamble segment [2] of their received Probe Request 
or Probe Response messages to compute 64-point CIRs. The tallest peak in each CIR (the dominant 
multipath) was used as the channel parameter of interest, i.e., the X and Y sample inputs to the secret 

^The levels q+ and g_ are chosen so as to maintain equal probabilities for the two bins. 
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key generation system. To access such peak data, FPGA-based customized logic was added to the 802.11 
development platform. Eve was configured to capture the Probe Response messages sent from Alice in 
the experiments. 

Two experiments were conducted. In the first experiment, Alice and Eve were placed in a laboratory. 
In a second experiment, Alice and Eve remained in the same positions while Bob circled the cubicle 
area of the office. 

Figure [Sfa) shows an example of Alice's, Bob's, and Eve's 64-point CIRs obtained through a single 
common pair of Probe Request and Probe Response messages. It is seen from the figure that Alice's 
and Bob's CIRs look similar, while they both look different from Eve's CIR. We show the traces for 
Alice and Bob resulting from 200 consecutive CIRs in Figure [5lb). The similarity of Alice's and Bob's 
samples, as well as their difference from Eve's samples, are evident from the figure. 

While our experiments ran for ~ 22 minutes, in the interest of space and clarity we show only 700 
CIRs collected over a duration of ~ 77 seconds. Each user locally computes (7+ and g_ as in (|6]l, i^. 
We chose a = | for our experiments. 

Figure |6] shows the traces collected by Alice and Bob after removal of slow shadow fading components 
using a simple local windowed mean. This is to prevent long strings of Is and Os, and to prevent the 
predictable component of the average signal power from affecting our key generation process. Using the 
small scale fading traces, our algorithm generates N = 125 bits in 110 seconds (m = 4), yielding a key 
rate of about 1.13 bps. Figure |6] shows the bits that Eve would generate if she carried through with the 
key-generation procedure. The results from our second experiment with a moving Bob are very similar 
to the ones shown for the first experiment, producing 1.17 bps. with m = 4 and a = |. Note that while 
figures |3] and |4] depict the secret bit rate that can be achieved for the specified values of Doppler frequency, 
our experimental setup does not allow us to measureably control the precise Doppler frequency and the 
secret bits rates we report from our experiments correspond only the indoor channel described. 

In order to verify the assumption that Eve does not gain any useful information by passive observation 
of the probes transmitted by Alice and Bob, we empirically computed the mutual information using the 
method in [56] between the signals received at the legitimate users and compare this with that between 
the signals received by Eve and a legitimate user. The results of this computation, summarized in Table Jl 
serve as an upper bound to confirm that Eve does not gather any significant information about the signals 
received at Alice and Bob. Although this information leakage is minimal relative to the mutual information 
shared between Alice and Bob, it might nonetheless be prudent to employ privacy amplification as a post- 
processing to have a stronger assurance that Eve has learned no information about the key established 
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between Alice and Bob. Finally, we note that with suitable values of the parameters chosen for the level 
crossing algorithm, the bits extracted by Alice and Bob are statistically random and have high-entropy 
per bit. This has been tested for and previously reported in [38] using a suite of statistical randomness 
tests provided by NIST [3]. 

III. Quantization-Based Secret Key Generation for Wireless Channels 

We now present a more powerful and general approach than the level-crossing approach discussed in 
Section II for obtaining secret keys from the underlying fading phenomena associated with a with a richly 
scattering wireless environment. Whereas the level-crossing algorithm was best suited for extracting keys 
from channel states whose distributions are inherently symmetric, our second approach is applicable to 
more general channel state distributions. Further, this second approach approach is capable of generating 
significantly more than a single bit per independent channel realization, especially when the channel 
estimation SNRs are high. 

To accomplish this we propose a new approach for the quantization of sources whose statistics are 
not known, but are believed to be similar in the sense of having "high SNR" - a notion we shall define 
more precisely below. Our quantization approach is motivated by considering a simpler setting of a 
Gaussian source model and addressing certain deficiencies which can be observed in that model. This 
problem has been addressed by [62] using a simple "BICM-like" approach [13] to the problem. A more 
general treatment which introduces multi-level coding can be found in [13] and also [12], however for our 
purposes, the simple "BICM-like" approach of [62] and [13] is sufficient. To motivate our approach to 
"universal" quantization we need to take this solution and improve on it - the process which we describe 
next. 

A. Over-quantized Gaussian Key Generation System 

We begin our discussion of the over-quantized Gaussian Key Generation System by reviewing the 
simple approach to the problem described in [62]. A block diagram of a basic secret key generation 
system is shown in Figure |7] Alice's secrecy processing consists of four blocks: Quantizer, Source Coder, 
Channel Coder and the Privacy Amplification (PA) process. The Quantizer quantizes Alice's Gaussian 
samples X^. The Source Coder converts the quantized samples to a bit string X^. The Channel Coder 
computes the syndrome S of the bit string X^. A rate 1/2 LDPC code is used in [62]. This syndrome 
is sent to Bob for his decoding of X;,. As discussed in Section I, the transmission of the syndrome is 
assumed to take place through an error-free public channel; in practice this can be accomplished through 
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the wireless channel with the use of standard reliability techniques (e.g., CRC error control and ARQ). 
Finally, privacy amplification (if needed) is implemented in the PA block. 

Figure [8ta) present the results obtained by using various algorithm options discussed in [62]. We 
observe from this figure that at high SNR (> 15dB), the secret key rates resulting from Gray coding are 
within 1.1 bits of the secret key capacity ([S]). However, the gap between the achieved secret key rates and 
the secret key capacity is larger at low SNR. In this sub-section, we demonstrate how the basic system 
can be improved such that the gap at low SNR is reduced. We restrict ourselves to Gray coding, as this 
is clearly the better source coding approach. 

We start with the observation that the quantization performed by Alice involves some information 
loss. To compensate for this, Alice could quantize her samples at a higher level than the one apparently 
required for the basic secret key generation purpose. Suppose that quantization to v bits is required by 
the baseline secrecy generation scheme. Alice then quantizes to ?; + m bits using Gray coding as a source 
coder. We refer to the v most significant bits as the regularly quantized bits and the m least significant 
bits as the over-quantized bits. The over-quantized bits B are sent directly to Bob through the error-free 
public channel. 

The Channel Decoder (at Bob) uses the syndrome S of the regularly quantized bits X;,, the over- 
quantized bits B and Bob's Gaussian samples y" to decode X^. Again, it applies the modified belief- 
propagation algorithm (cf. [35]), which requires the per-bit LLR. The LLR calculation is based on both 
and B. 

Suppose one of Alice's Gaussian samples X is quantized and Gray coded to bits (^6,1, • • • , Xb^^+m)- 
With Bob's corresponding Gaussian sample Y and Alice's over-quantized bits (X5 t,+i, • • • = 
(a„+i, • • • , av+m), the probability of X5 j, 1 <i <v, being is derived below: 

Pl'(-'^b,i = 0|y = y, Xb,t,+1 = at,+i, • • • , Xij^yj^m = a^+m) 
_ Pl'(Xb^i = 0, Xb^y^i = Qy+i, ■ ■ ■ , Xb^jj^ = ay+rn\Y = y) 
Pl'(-'^6,i>+l = 0,v+l, • • • , Xb,Vr„ = 0.v+m\Y = v) 
Ef=r P^(gi-l <X< qj\Y = y)lc.^^^(,_i)=o • • • • lG:X-^j.i)=a^^^ ^^^^ 

Ef=r Pr(^i-i <X< qj\Y = y) ■ lGlXl^j.,)=a.^, ■ ■ ■ lGlX-ij-l)=a.^^ 
where 1 is an indicator function and the function G^O), 1 < i < A;, < j < 2^^ — 1, denotes the i*^ 
bit of the fc-bit Gray codeword representing the integer j. The quantization boundaries %<■■■< q2^+m 
depend on the quantization scheme used. For instance, the quantization boundaries of the equiprobable 
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quantizer satisfy 

1"^^ 1 x2 1 



e-^dx = ——, j = l,--- ,2^^+"^. (11) 



Now, 



' 2PN+N'' I \ / 2PN+N^ 

P+N / \ V P+iV 



where the function g{k,y), < k < 2^+™, is defined as 

/ - _ p 



g{k,y)=Q\ , (12) 



and Q is the usual Gaussian tail function [50]. Hence, the probability of dTOl ) is given by 

(j-l)=a„ 



Ej=i b(i - 1, y) - 2/)] • iGj.+„{i-i)=o • iG^+i„o--i)=a„+i • • • 1g^+^ 



(13) 



It should be noted that when equiprobable quantization is used, the over-quantized bits B and the regularly 
quantized bits Xf, are independent as shown below. Suppose a sample X is equiprobably quantized and 
source coded to t bits • • • , Xi,,t)- For an arbitrary bit sequence (ai, • • • , a^) and a set 5 C T = 

{1, • • • , t}, we have 

Pr ({Xfo^i = : z G T\cS}) 

2-l'5|=Pr({Xfe,i = ai:iG5}), 



2-(*-l<s|) 



which implies the amount of secrecy information remaining in X;, after the public transmission is at least 
|Xfc| - |S| bitsS Note that this conclusion does not hold for other quantization approaches (e.g., MMSE 
quantization) and, therefore, equiprobable quantization should be used if over-quantization is applied. 

On the other hand, it is implied by (fT3] ) that the over-quantized bits B and the regularly quantized 
bits Xfc are dependent given Bob's samples 1"". Hence, /(Xft;B|y") > 0. It follows from the Slepian- 
Wolf theorem (cf. [21]) that with the availability of the over-quantized bits B, the number of syndrome 

^Relying on hash functions for privacy amplification requires the use of Renyi entropy. However, we can use [11, Theorem 
3] to equivocate Renyi and Shannon entropies. 
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bits |S| required by Bob to successfully decode X;, is approximately H{'X.h\Y"' ,'B), which is less than 
i/(X;,|y"), the number of syndrome bits transmitted in the basic system. In other words, the secret 
key rate achieved by the over-quantized system is approximated by ^/(Xft; Y^, B), which is larger than 
^/(X^; y"), the secret key rate achieved by the basic system. 

To obtain an upper limit on the performance improvement that over-quantization may provide us, 
we can imagine sending the entire (real-valued) quantization error as a side information. There are a 
number of issues with this approach. Clearly, distortion-free transmission of real-valued quantities is not 
practically feasible. However, as we are looking for a bound, we can ignore this. More importantly, the 
transmission of raw quantization errors may reveal information about X;,. For example, to equiprobably 
quantize a zero mean, unit variance Gaussian random variable with 1 bit per sample, the quantization 
intervals are (— cxd,0] and (0,cxd), with respective representative value -0.6745 and 0.6745. Suppose a 
sample X is of value 2, then its quantization error is 2 — 0.6745 = 1.3255. This implies that X must 
be in the interval (0, oo), since otherwise, the quantization eiTor does not exceed 0.6745. Thereby, it 
is necessary to process the raw quantization errors such that the processed quantization errors do not 
contain any information about X;,. For this purpose, it is desirable to transform quantization errors to 
uniform distribution. To do so, we first process an input sample X with the cumulative distribution 
function (CDF) of its distribution and then quantize. The transformed quantization error is then given by 
E = (j) (X) — <p {q{X)), where (/>(x) is the CDF for X and q{X) is the representative value of the interval 
to which X belongs. The quantization errors i?" = {Ei, ■ ■ ■ ,En), which are then uniformly distributed 
on [— 2^(^+^), 2^("+^)] , are sent to Bob through the error-free public channel. 

The rest of the process (encoding/decoding and PA) proceeds as before. However, the LLR computation 
must be modified to use probability density functions, rather than probabilities: 



for -2-(^+^) < e < 2~(''+i\ 1 <j < 2", with the function cp being the CDF for X. The derivation of 
([141 ) is similar to that of (fT3l ). which is omitted here. 

Figure [8tb) shows simulation results for 2-bit over-quantization and the upper bound. We note, as 
expected, that the overall gap to capacity has been reduced to about 1.1 dB at the low-SNR. 




(14) 



where the function G\{j) is defined in ( fTOl ) and the function h{e,j,y) is defined as 
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B. A Universal Secret Key Generation System 

In the previous sub-section we discussed secret key generation for a jointly Gaussian model. The 
random variables X and Y in the model are jointly Gaussian distributed and the distribution parameter 
SNR is known at both terminals. However, in many practical conditions, the correlated random variables 
at the two terminals may not be subject to a jointly Gaussian distribution, and the distribution parameters 
are usually unknown or estimated inaccurately. 

We address this problem by describing a method for LLR generation and subsequent secrecy generation 
that makes very few assumptions on the underlying distribution. As we shall see this method is largely 
based on the over-quantization idea we introduced above. 

1 ) System Description: Compared to the basic system (Figure |7]) developed for the Gaussian model, 
the universal system includes two additional Data Converter blocks (one at Alice; the other at Bob), and 
modified Quantizer and Channel Decoder blocks. The inputs to Alice's Data Converter blocks are X"^ 
and the outputs of Alice's Data Converter block are sent to the modified Quantizer block. The inputs 
to Bob's Data Converter blocks are and the outputs of Bob's Data Converter block are sent to the 
modified Channel Decoder block. 

The purpose of the Data Converter is to convert the input samples X", to uniformly distributed 
samples [/", F", where Ui,Vi G [0, 1). The conversion is based on the empirical distribution of input 
samples. Given the i^^ sample Xi of input samples X", denote by Kn{Xi) the number of samples in X^ 
which are strictly less than Xi plus the number of samples in X" which are equal to Xi but their indices 
are less than i. The output of the Data conversion block corresponding to Xi is given by Ui = EA^^A_ 

To justify the use of this approach, we show that U"' asymptotically tends to an i.i.d. sequence, each 
uniformly distributed between and 1. Thus, while for any finite block length the sequence [/" is 
not comprised of independent variables, it is assymtotically i.i.d. uniform. Consider an i.i.d. sequence 
X" = (Xi,--- ,Xn) . Denote by the actual CDF of X^. Let Wi = (piXi), i = Then 
Wi, • • • , Wn is an i.i.d. sequence, each uniformly distributed between and 1. Hence, it suffices to show 
that the sequence [/" converges to the sequence W"^. 

Convergence of the empirical distribution to the true distribution is a well-established fact in probabiUty 
known as the Glivenko-Cantelli Theorem [54]. However, we need a stronger statement which gives the 
rate of such convergence. This is known as the Dvoretzky-Kiefer-Wolfowitz Theorem [26] and is stated 
in the following lemma. 

Lemma 1: [26] Let Xi, - ■ ■ ,Xn be real-valued, i.i.d. random variables with distribution function F. 
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Let Fn denote the associate empirical distribution function defined by 

1 " 

For any e > 0, 



1=1 



Pr ( sup \Fn{x) - F{x)\ > e] < 2e 



(15) 
□ 



We will also need the notion of a convergence of random sequences [18]. The L^-norm of a 
sequence X", p > 1, is defined by HX^Hp = (Yli l^iD^- ^ sequence X" is said to converge in 
to y", < p < oo, if lim„_oo'? [||X" - = 0. We then have the following lemma [18, Theorem 

4.1.4]. 

Lemma 2: If a sequence X" converges to another sequence in L^, < p < oo, then X"' converges 



to y" in probability. 

We can now show the desired statement. 

Theorem 1: The sequence converges to the sequence in probability. 

Proof: According to Lemma[2l we only need to show lim„^oo — ^"lU] = 0. Here, 



□ 



f[||C/" - W^"||4] = £ 



1=1 

Y,£[\Ui-Wi\' 



<\£ 



(16) 



For any i = 1, - ■ ■ , n, we have 

£[\U.,-W^\''] = 

< 



Pr {\Ui - Wi^^ >u)du = Pr (\Ui - Wi\ > ni) 



du 



where (fTTl) follows from (ITSl) . By letting t = ^Ju and integrating by parts, we show 



-2n 







n 



(2 + -)<-. 

n 



(17) 



(18) 



Combining (fT6l ) and (fTSl ). we obtain 



\i=\ 



n 4 . 



□ 



which tends to as n ^ cxd. This completes the proof of the theorem. 

The conversion from X" (or y") to [/" (or V^) can be accomplished using a procedure that requires 
no computation and relies only on a sorting algorithm. It has the important side benefit that the output is 
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inherently fixed-point, which is critical in the implementation of most modem communication systems. 
Let A be the number of bits to be used for each output sample Ui. This imphes that Ui is of value 
< i < 2^ — 1. Denote by C{j), < j < 2^, the number of output samples of value The values 
of C(j) are determined by the following pseudo-code: 



C(0) ^ 0; 






for i = 1 to 2^ 






j-n 




end 







where [x\ is the largest integer less than x. For an input sample Xi with 

k k+1 

J2C{j)<Kr,{Xi)<J2C{j), 

j=o j=0 

the corresponding output Ui is given by 

To efficiently implement this process, we follow a three step process: i) sort the input samples 
in ascending order; ii) convert sorted samples to values < j < 2"^ — 1; iii) associate each input 
sample with its converted value. 

Suppose input samples X" are sorted to X", where Xi < • • • < The index mapping between X" 
and X" is also recorded for the use in the association step. 

The values of X" are converted to using the algorithm defined via the pseudo-code below. The 
algorithm distributes n items among A bins in a "uniform" way even when A does not divide n. The 
process is based on the rate-matching algorithms used in modem cellular systems, e.g. [1], and is also 
similar to line-drawing algorithms in computer graphics. 



c ^ 0; k^O; 






while [j < n) 






c < — c + 






while (c > 1) 






ff. I k . 


3^3 + 1; 


c <— c — 1; 


end 






k*^k+l; 






end 







The last step rearranges to outputs such that the z*" output sample Ui is associated with the 
i*'^ input sample Xj. 
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Although the above procedures use 2 as the total number of possible values to be assigned, in general, 
any integer M may be substituted for 2"^, in which case the unit interval [0, 1) is partitioned into M 
equal sub-intervals, with the data distributed among them as uniformly as possible. 

To equiprobably quantize uniformly distributed samples with v bits per sample, the Quantizer 
determines the quantization boundaries as 

qi = —, < z < 2''. 

For a simple decoding process, the quantization error E is defined as the difference between U and the 
lower bound of the interval to which U belongs. Hence, the quantization error E is uniformly distributed 
between and ^. The transmission of such quantization errors E'" = {Ei, ■ ■ ■ ,En) over the public 
channel does not reveal any information about X;,. 

For the case of fixed point inputs ?7", if the number of bits per sample u in the Quantizer block used 
for generating is less than the number A of bits used for U, then the Quantizer block obtains the 
quantized value and the quantization error for U simply from the first v bits and the last A — v bits out 
of the A bits for U, respectively. 

Bob's Data Converter performs the same operations as Alice's. The Channel Decoder calculates the 
per-bit LLR based on the outputs of Bob's Data Converter block V"^ and the received quantization errors 
E"-. Unhke the jointly Gaussian model, the joint distribution of X and Y in this case is unknown and 
the accurate LLR is generally incomputable. 

We provide an extremely simple but effective way of computing the LLR. Heuristically, the LLR is 
related to the distances from V to the possible U values that cause Xf,,i = 1 and that cause j = 0. 
Suppose a uniform sample U is quantized and Gray coded to bits (-^^6,1, • • • , Xj^^y) and the quantization 
error of U is E. The heuristic LLR Lj for Xf,^i, 1 < i < v, is derived through the following pseudo-code: 
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tor I 


= 1 to V 








Li ^ 2E 


-2V + 1 


■ -V — In- — 1— 1 1 

2 ^ 't^-l; . 




it V < 0.5 






V ^ 


2V; 






E ^ 


2E; 






else 








V ^ 


1-2V; 






E ^ 




2E; 




end 






end 









Consider an example of £^ = 0.2 and v = 1. This quantization error indicates the two possible values 
of U are 0.2 and 0.7, which corresponds to X^ i = and Xf, i = 1, respectively. If V = 0.3, which is 
closer to the possible U value 0.2, then it is more likely that Xi, i is equal to '0' and the LLR for X;, i 
should be positive. It follows from the pseudo-code above that Li = 0.3. If V = 0.5, which is closer to 
the possible U value 0.7, then it is more likely that X^^i is equal to '1' and the LLR for X;, i should be 
negative. It follows from the codes above that Li = —0.1. 

As the Li obtained in the codes above is generally within the range of [—1, 1], the likelihood probability 
of each bit is restricted to the range of [0.27, 0.73]. Hence, it is desirable to re-scale Li to the operational 
range of the modified belief-propagation algorithm by multiplying with a constant. 

2) Simulation and Experimental Validation: We examine the performance of the proposed approach 
in a simulation environment with the jointly Gaussian channel model and with real channels. 

In order to examine the performance of the universal system, we apply it to the jointly Gaussian model, 
though noting that the parameters P, N of the jointly Gaussian model are not utilized in the universal 
system. The secret key rates achieved by the universal system are shown in Figure |9l For comparison, the 
secret key capacity and the upper bound for the secret key rates achieved by the over-quantized system 
are also plotted in the same figure. It is seen from the figure that the universal system performs well at low 
SNR, but deviates at high SNR. The deviation may be due to the trade-off made between the regularly 
quantized bits and the over-quantized bits. A different trade-off can push the deviation point higher at 
the expense of more communication (of over-quantized bits) and higher LDPC decoding complexity. 

We experimentally validated the feasibility of the above universal approach using 802.11 setup de- 
scribed earlier. In the two experiments stated in Section II, Bob sent Probe Request messages at an 
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average rate of 110 msj^ Typically, Bob received the corresponding Probe Response message from Alice 
within 7 ms after a Probe Request message was sent. It is reported in Table I that in the first experiment, 
the mutual information between Alice and Bob's samples is about 3.294 bits/sample, while the mutual 
information between Bob and Eve's samples is about 0.047 bit/sample. In the second experiment, the 
mutual information between Alice and Bob's samples is about 1.218 bits/sample, while the mutual 
information between Bob and Eve's samples is within the accuracy of the measurement. This suggests 
that the respective secret key capacitiejfl of the first and the second experimental environments are about 30 
(ss (3.294-0.047) bits/sample 0.11 second/sample) bps and 11 bps, provided that the channel coherence 
time is around 110 ms. 

Next, we check the secret key rates achieved by the universal system. For the purpose of generating 
keys in a short time duration, we apply a LDPC code with a shorter block length in the universal system. 
The code is a (3,6) regular LDPC code of codeword length 400 bits. The quantization parameter v is 
chosen as 3 for the first experiment and 2 for the second experiment. This implies that for each run of 
the system, a block of 134 (« 400/3) first experimental samples or 200 second experimental samples is 
sent to the universal system. 

Our experimental results show that in both cases. Bob is able to successfully decode Alice's bit sequence 
X;, of 400 bits. With the reduction of 200 bits, revealed as syndrome bits over the public channel, both 
terminals remain with 200 secret bits. In order to remove the correlation between the 200 secret bits and 
Eve's samples in the first experiment, which shows non-zero mutual information, we may need to squash 
out an additional 7 (ss 0.047* 134) bits from the 200 secret bits, resulting in 193 secret bits. Considering 
the period of collecting these 134 or 200 samples, we conclude that the secret key rate achieved by the 
universal system is about 13 bps for the first experiment and 9 bps for the second experiment. 

IV. Conclusions 

The wireless medium creates the unique opportunity to exploit location-specific and time-varying 
information present in the channel response to generate information-theoretically secret bits, which may 
be used as cryptographic keys in other security services. This abiUty follows from the property that in 
a multipath scattering environment, the channel impulse response decorrelates in space over a distance 
that is of the order of the wavelength, and that it also decorrelates in time, providing a resource for fresh 

''Here, we assume the channel coherence time is less than or equal to 110 ms. Hence, two consecutive CIRs at either terminal 
are assumed to be mutually independent. 

^We abuse the notion of capacity a bit as this "capacity" assumes i.i.d. channel samples. 
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randomness. In this paper, we have studied secret key extraction, under the assumption of a Rayleigh or 
Rician fading channel, and under a more general setting where we do not make any assumption on the 
channel distribution. We have developed two techniques for producing identical secret bits at either end 
of a wireless communication link and have evaluated each technique using channel measurements made 
using a modified 802. 1 1 system. The first technique is based on the observation of correlated excursions 
in the measurements at the two users while the second technique employs error-correction codes. The 
former method trades off the performance of the latter with a lower complexity and does not require 
knowledge of the channel coherence time. Since the time-varying nature of the channel acts as the source 
of randomness, it Umits the number of random bits that can be extracted from the channel for the purpose 
of a cryptographic key. The second method apphes to more general distributions for the shared channel 
information between a transmitter and receiver, and is able to achieve improved secret key rates at the 
tradeoff of increased complexity. Our evaluations indicate that typical indoor wireless channels allow us 
to extract secret bits at a practically useable rate, with minimal information about these secret bits being 
learned by an eavesdropper. Lastly, we note that as a final step, the legitimate participants in the protocol 
may wish to employ privacy amplification to provide added assurance that the eavesdropper cannot infer 
the bits being generated. 
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Fig. 1. A system level description of the level crossing algorithm. Messages exchanged over the air are shown in dotted lines. 
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Fig. 2. Probability of bit error pe for various values of m at different SNR levels (a — 0.8 in l|6ll, l|7]l) 
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Fig. 4. (a) Secret-bit rate for varying Doppler fd and fixed fs for various values of m (b) Rate as a function of function of 
quantizer levels g+ & parametrized by a. 




(a) Alice, Bob and Eve's 64-point CIRs from a common pair of Probe Request, Probe Response 
messages. 
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(b) Traces of the magnitudes resulting from 200 Alice, Bob and Eve's CIRs. 



Fig. 5. Some examples of experimental data. 
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Fig. 6. (a) Traces of Alice and Bob after subtracting average signal power. Using m = 5, A'' = 59 bits were generated in 110 
seconds (Rt — 0.54 s-bits/sec) while m — 4 gives A'^ = 125 bits (Rk = 1.13 s-bits/sec.) with no errors in each case, (b) A 
magnified portion of (a) 
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(a) Alice's secrecy processing. 
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(b) Bob's secrecy processing. 



Fig. 7. Block diagrams of the basic system. 
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Fig. 8. (a) Secret key rates achieved by the basic system, (b) Secret key rates achieved by the improved system. 
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Fig. 9. Secret key rates achieved by the universal system. 



October 27, 2009 



DRAFT 



